Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for OpenBlue Workplace (formerly FM Systems) by Johnson Controls

    CVE-2025-26381 (GCVE-0-2025-26381)

    Vulnerability from nvd – Published: 2025-12-17 16:13 – Updated: 2025-12-17 16:45
    VLAI
    Title
    OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems)
    Summary
    Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-425 - Direct Request ('Forced Browsing')
    Assigner
    jci
    Impacted products
    Date Public
    2025-12-04 16:12
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-17T16:45:41.544710Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-17T16:45:49.543Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OpenBlue Workplace (formerly FM Systems)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThanOrEqual": "2025.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-12-04T16:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSuccessful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.\u003c/span\u003e"
                }
              ],
              "value": "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-87",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-87 Forceful Browsing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-425",
                  "description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-17T16:13:38.069Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03"
            },
            {
              "url": "https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true\u0026u=aiurfs"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUpgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.\u003c/li\u003e\u003cli\u003eDisable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.\u003c/li\u003e\u003cli\u003eUse the primary OpenBlue Workplace web interface: To complete the tasks you\u0027ve previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "*  Upgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.\n  *  Disable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.\n  *  Use the primary OpenBlue Workplace web interface: To complete the tasks you\u0027ve previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2025-26381",
        "datePublished": "2025-12-17T16:13:38.069Z",
        "dateReserved": "2025-02-07T14:15:53.880Z",
        "dateUpdated": "2025-12-17T16:45:49.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26381 (GCVE-0-2025-26381)

    Vulnerability from cvelistv5 – Published: 2025-12-17 16:13 – Updated: 2025-12-17 16:45
    VLAI
    Title
    OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems)
    Summary
    Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-425 - Direct Request ('Forced Browsing')
    Assigner
    jci
    Impacted products
    Date Public
    2025-12-04 16:12
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-17T16:45:41.544710Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-17T16:45:49.543Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OpenBlue Workplace (formerly FM Systems)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThanOrEqual": "2025.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-12-04T16:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSuccessful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.\u003c/span\u003e"
                }
              ],
              "value": "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-87",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-87 Forceful Browsing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-425",
                  "description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-17T16:13:38.069Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03"
            },
            {
              "url": "https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true\u0026u=aiurfs"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUpgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.\u003c/li\u003e\u003cli\u003eDisable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.\u003c/li\u003e\u003cli\u003eUse the primary OpenBlue Workplace web interface: To complete the tasks you\u0027ve previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "*  Upgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.\n  *  Disable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.\n  *  Use the primary OpenBlue Workplace web interface: To complete the tasks you\u0027ve previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2025-26381",
        "datePublished": "2025-12-17T16:13:38.069Z",
        "dateReserved": "2025-02-07T14:15:53.880Z",
        "dateUpdated": "2025-12-17T16:45:49.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }